
Version 8 (modified by Antoine Martin, 3 years ago)


Xpra + Docker

The information below has not been verified by xpra.org; use at your own risk.

Rationale

Xpra and docker can be used to isolate applications from unix user accounts.

Regular unix applications have full access to all the files in the user's home directory.

For example, the combination can be used to constrain a web browser (or a proprietary application like Skype) to the resources it really needs to run and no more. Applications segregated in this way have a very restricted view of the system they run on.

Resources

  • Docker
  • https://github.com/rogaha/docker-desktop is a working showcase for combining docker and Xpra for the desktop - using Xephyr to forward a whole desktop, which is a little odd since one of the major benefits of xpra is rootless applications (the version numbers they refer to are confusing too)
  • Subuser tries to wrap the solution to make it more easily accessible - but nothing about xpra there...

Setup

Xpra needs to connect to the xpra server running inside the docker container. Your options are:

  • using a TCP socket or running an SSH server in the container - neither is very practical
  • sharing the xpra socket directory between the host and the container. To do this you have multiple options:
    • bind mount the directory containing the socket (.xpra or /tmp usually)
    • use the socket-dir option at either end to point to the same location
    • you could also create symlinks to individual sockets, but this can get messy very quickly

Xpra uses the hostname as part of the unix domain socket name. If the hostname is different inside the container, you will need one of these workarounds:

  • symlink or bind mount the server's unix domain socket if that's what you want to use to connect
  • override the hostname used with the environment variable XPRA_SOCKET_HOSTNAME, i.e.:
    XPRA_SOCKET_HOSTNAME=myhostname xpra attach
    
  • starting with version 0.15.3, you can connect to a unix domain socket by path using:
    xpra attach socket:/path/to/yourcontainers/socket
    

To use mmap acceleration, the server expects to find the mmap file at the exact same path that the client used to create it. So you must ensure that the path to the mmap file (by default found in $TMPDIR) is the same on the host and in the container. Again, bind mounting a directory solves this problem.
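
The setup options above combined into one script, as an added example that is not part of the original wiki page or the xpra project. The image name "xpra-app", the hostname "appbox", display :100, xterm and the directories under $HOME/xpra-docker are hypothetical; it also assumes the image can run xpra as an arbitrary uid.

```shell
#!/bin/sh
# Added example. Hypothetical names: image "xpra-app", hostname "appbox",
# display :100, xterm, and the directories below.
SHARE="${SHARE:-$HOME/xpra-docker}"
SOCK_DIR="$SHARE/sockets"   # bind mounted at the same path in the container
MMAP_DIR="$SHARE/mmap"      # must be the same path on both sides for mmap
CT_HOST="appbox"
DISPLAY_NUM=100

# xpra names the socket "<hostname>-<display number>" inside the socket dir.
socket_path() {  # usage: socket_path DIR HOSTNAME DISPLAY_NUM
    printf '%s/%s-%s\n' "$1" "$2" "$3"
}

# Succeeds only if DIR exists and grants nothing to group or others:
# any local account that can reach the socket file could try to connect.
dir_is_private() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Server side: both directories are mounted at identical paths, and the
# container runs as the calling uid so the host user owns the socket.
server_cmd() {
    printf 'docker run --rm -h %s -u %s:%s -v %s:%s -v %s:%s xpra-app ' \
        "$CT_HOST" "$(id -u)" "$(id -g)" "$SOCK_DIR" "$SOCK_DIR" "$MMAP_DIR" "$MMAP_DIR"
    printf 'xpra start :%s --socket-dir=%s --start-child=xterm --no-daemon\n' \
        "$DISPLAY_NUM" "$SOCK_DIR"
}

# Client side, option 1: same socket-dir plus the hostname override.
client_cmd_hostname() {
    printf 'TMPDIR=%s XPRA_SOCKET_HOSTNAME=%s xpra attach :%s --socket-dir=%s\n' \
        "$MMAP_DIR" "$CT_HOST" "$DISPLAY_NUM" "$SOCK_DIR"
}

# Client side, option 2 (xpra 0.15.3 and later): connect by socket path.
client_cmd_path() {
    printf 'TMPDIR=%s xpra attach socket:%s\n' \
        "$MMAP_DIR" "$(socket_path "$SOCK_DIR" "$CT_HOST" "$DISPLAY_NUM")"
}

if [ "${1:-}" = "--print" ]; then
    mkdir -p "$SOCK_DIR" "$MMAP_DIR" && chmod 700 "$SOCK_DIR" "$MMAP_DIR"
    dir_is_private "$SOCK_DIR" || { echo "refusing: $SOCK_DIR is not private" >&2; exit 1; }
    server_cmd; client_cmd_hostname; client_cmd_path
fi
```

Run with --print to create the two directories with mode 700 and print the server and client command lines; nothing is started by the script itself.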